supply-chain-npm-chalk-debug-shaihulud
// Supply-chain check: list every GitHub repository whose dependency-graph
// manifest declares an npm package from the known-compromised list below, and
// flag whether the declared requirement pins exactly a compromised version.
//
// Output columns: repo, d.name, current_version (the raw d.requirements string),
// vulnerable_version, is_vulnerable.
//
// NOTE: is_vulnerable is a plain string equality after stripping a leading "= ".
// A requirement written as a range (caret, tilde, ">=") or with different
// spacing compares unequal, so it is reported as false even though it may
// resolve to the compromised version. Read false as "not pinned to it", not
// "safe", and confirm the installed version against the resolved lockfile.
// Every returned row still means the package is present in that manifest.
//
// TODO: Adapt to show the _FULL_ list here: https://github.com/Cobenian/shai-hulud-detect/blob/main/compromised-packages.txt
UNWIND [
  // chalk / debug compromise:
  { name: 'ansi-regex', version: '6.2.1' },
  { name: 'ansi-styles', version: '6.2.2' },
  { name: 'backslash', version: '0.2.1' },
  { name: 'chalk', version: '5.6.1' },
  { name: 'chalk-template', version: '1.1.1' },
  { name: 'color-convert', version: '3.1.1' },
  { name: 'color-name', version: '2.0.1' },
  { name: 'color-string', version: '2.1.1' },
  { name: 'debug', version: '4.4.2' },
  { name: 'error-ex', version: '1.3.3' },
  { name: 'has-ansi', version: '6.0.1' },
  { name: 'is-arrayish', version: '0.3.3' },
  { name: 'simple-swizzle', version: '0.2.3' },
  { name: 'slice-ansi', version: '7.1.1' },
  { name: 'strip-ansi', version: '7.1.1' },
  { name: 'supports-color', version: '10.2.1' },
  { name: 'supports-hyperlinks', version: '4.1.1' },
  { name: 'wrap-ansi', version: '9.0.1' },
  // DuckDB-adjacent extension of the same campaign:
  { name: '@coveops/abi', version: '2.0.1' },
  { name: 'duckdb', version: '1.3.3' },
  { name: '@duckdb/node-bindings', version: '1.3.3' },
  { name: '@duckdb/duckdb-wasm', version: '1.29.2' },
  { name: '@duckdb/node-api', version: '1.3.3' },
  // Shai-Hulud worm wave (a sample only; see the TODO above for the full list):
  { name: '@ctrl/tinycolor', version: '4.1.1' },
  { name: '@ctrl/tinycolor', version: '4.1.2' },
  { name: '@ctrl/deluge', version: '1.2.0' },
  { name: '@ctrl/deluge', version: '7.2.1' },
  { name: '@ctrl/deluge', version: '7.2.2' },
  { name: '@ctrl/golang-template', version: '1.4.2' },
  { name: '@ctrl/golang-template', version: '1.4.3' },
  { name: '@ctrl/magnet-link', version: '4.0.3' },
  { name: '@ctrl/magnet-link', version: '4.0.4' },
  { name: '@ahmedhfarag/ngx-perfect-scrollbar', version: '20.0.20' },
  { name: '@ahmedhfarag/ngx-virtual-scroller', version: '4.0.4' },
  { name: '@art-ws/common', version: '2.0.22' },
  { name: '@art-ws/common', version: '2.0.28' },
  // … (many more in that wave) …
  { name: 'rxnt-authentication', version: '0.0.3' },
  { name: 'rxnt-authentication', version: '0.0.4' }
] AS pkg
// Two-hop, undirected pattern: dependency -- manifest -- repository.
// Relationship types and directions are deliberately left open so the query
// does not depend on how the graph was loaded.
MATCH (d:Dependency)--(manifest:DependencyGraphManifest)--(r:GitHubRepository)
WHERE d.ecosystem = 'npm'
  AND d.name = pkg.name
// Normalise an exact-pin requirement ("= 1.2.3") to the bare version string;
// any other requirement form is passed through unchanged.
WITH r, d, pkg, REPLACE(d.requirements, "= ", "") AS pinned
RETURN r.fullname AS repo,
       d.name,
       d.requirements AS current_version,
       pkg.version AS vulnerable_version,
       (pinned = pkg.version) AS is_vulnerable